Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Interop+Crypto+OpenSslCryptographicException: error:0E076071:configuration file routines:MODULE_RUN:unknown module name #27792

Closed
JustArchi opened this issue Nov 1, 2018 · 20 comments

Comments

@JustArchi
Copy link
Contributor

Hello.

Since a few days I'm getting rather weird situation of internal OpenSSL failures on my machine. In particular, this is the exception that I'm encountering since a few days:

System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. 
---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. 
---> System.TypeInitializationException: The type initializer for 'SslMethods' threw an exception. 
---> System.TypeInitializationException: The type initializer for 'Ssl' threw an exception. 
---> System.TypeInitializationException: The type initializer for 'SslInitializer' threw an exception. 
---> Interop+Crypto+OpenSslCryptographicException: error:0E076071:configuration file routines:MODULE_RUN:unknown module name
   at Interop.SslInitializer..cctor()
   --- End of inner exception stack trace ---
   at Interop.SslInitializer.Initialize()
   at Interop.Ssl..cctor()
   --- End of inner exception stack trace ---
   at Interop.Ssl.SslV2_3Method()
   at Interop.Ssl.SslMethods..cctor()
   --- End of inner exception stack trace ---
   at Interop.OpenSsl.AllocateSslContext(SslProtocols protocols, SafeX509Handle certHandle, SafeEvpPKeyHandle certKeyHandle, EncryptionPolicy policy, SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SafeDeleteSslContext..ctor(SafeFreeSslCredentials credential, SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.BeginAuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
   at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__47_0(SslClientAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2](Func`5 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
   at System.Net.Security.SslStream.AuthenticateAsClientAsync(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask`1 creationTask)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.DecompressionHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at ArchiSteamFarm.WebBrowser.InternalRequest(Uri requestUri, HttpMethod httpMethod, IReadOnlyCollection`1 data, String referer, HttpCompletionOption httpCompletionOption, Byte maxRedirections)

I've tried to solve this issue through various ways. Using CLR_OPENSSL_VERSION_OVERRIDE=1.1 I'm getting a different one:

Cannot get required symbol CRYPTO_add_lock from libssl
Aborted

Using DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0 fixed the problem I was having. CURL and OpenSSL work fine on my machine, I can make all usual https requests and my .NET Core app also has no issues doing them with curl handler.

I've managed to reproduce this on two different machines, both running Debian 10 (testing) x64, second machine being clean VM install. I suspect that this problem might be caused by some Debian libraries update, in particular libssl1.1 package (even though I see no reason why it'd break 1.0.2 usage, but it's the only library that dotnet depends on that got updated recently). For reference:

+++-=================-============-============-===============================================
ii  libssl1.0.2:amd64 1.0.2o-1     amd64        Secure Sockets Layer toolkit - shared libraries
ii  libssl1.1:amd64   1.1.1-2      amd64        Secure Sockets Layer toolkit - shared libraries

I realize that Debian 10 is not supported as of yet, but this looks like some general libssl compatibility issue that you might be interested in looking into. You should have no problem trying to reproduce this issue on clean Debian Testing install, but if you'd need any further help from me, please let me know.

For completion, this was reproduced on two different SDK versions, latest stable and latest master:

.NET Core SDK (reflecting any global.json):
 Version:   2.1.403
 Commit:    04e15494b6

Runtime Environment:
 OS Name:     debian
 OS Version:
 OS Platform: Linux
 RID:         debian-x64
 Base Path:   /usr/share/dotnet/sdk/2.1.403/

Host (useful for support):
  Version: 2.1.5
  Commit:  290303f510

.NET Core SDKs installed:
  2.1.403 [/usr/share/dotnet/sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.All 2.1.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.5 [/usr/share/dotnet/shared/Microsoft.NETCore.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download
.NET Core SDK (reflecting any global.json):
 Version:   3.0.100-alpha1-009708
 Commit:    ce09d64d8a

Runtime Environment:
 OS Name:     debian
 OS Version:
 OS Platform: Linux
 RID:         debian-x64
 Base Path:   /opt/dotnet-test/sdk/3.0.100-alpha1-009708/

Host (useful for support):
  Version: 3.0.0-preview1-27029-03
  Commit:  631e219c26

.NET Core SDKs installed:
  3.0.100-alpha1-009708 [/opt/dotnet-test/sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.All 3.0.0-alpha1-10062 [/opt/dotnet-test/shared/Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 3.0.0-alpha1-10062 [/opt/dotnet-test/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 3.0.0-preview1-27029-03 [/opt/dotnet-test/shared/Microsoft.NETCore.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

Thank you for looking into my issue.

@karelz
Copy link
Member

karelz commented Nov 1, 2018

@bartonjs is it a known problem?

@bartonjs
Copy link
Member

bartonjs commented Nov 1, 2018

CLR_OPENSSL_VERSION_OVERRIDE=1.1 tricks the loader into loading libssl.so.1.1, which .NET Core 2.1 is not capable of working with.

The error is coming out of OpenSSL's initialization. Have you made any changes to /etc/ssl/openssl.cnf ?

@JustArchi
Copy link
Contributor Author

JustArchi commented Nov 1, 2018

@bartonjs thank you for reply. Yes, I know that .NET Core isn't capable of using libssl.so.1.1 yet, I just mentioned it as a possibility.

I didn't do any changes to openssl.cnf, this is stock Debian install. Included full file for reference:

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file               = $ENV::HOME/.oid
oid_section             = new_oids

# System default
openssl_conf = default_conf

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions            =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certs with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = default               # use public key default MD
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = AU
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State

localityName                    = Locality Name (eg, city)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
dotnet/corefx#1.organizationName             = Second Organization Name (eg, company)
dotnet/corefx#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

# SET-ex3                       = SET extension number 3

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType                    = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

basicConstraints = critical,CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType                    = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]

default_tsa = tsa_config1       # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir             = ./demoCA              # TSA root directory
serial          = $dir/tsaserial        # The current serial number (mandatory)
crypto_device   = builtin               # OpenSSL engine to use for signing
signer_cert     = $dir/tsacert.pem      # The TSA signing certificate
                                        # (optional)
certs           = $dir/cacert.pem       # Certificate chain to include in reply
                                        # (optional)
signer_key      = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest  = sha256                 # Signing digest to use. (Optional)
default_policy  = tsa_policy1           # Policy if request did not specify it
                                        # (optional)
other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
clock_precision_digits  = 0     # number of digits after dot. (optional)
ordering                = yes   # Is ordering defined for timestamps?
                                # (optional, default: no)
tsa_name                = yes   # Must the TSA name be included in the reply?
                                # (optional, default: no)
ess_cert_id_chain       = no    # Must the ESS cert id chain be included?
                                # (optional, default: no)
ess_cert_id_alg         = sha1  # algorithm to compute certificate
                                # identifier (optional, default: sha1)
[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

Thanks!

@JustArchi
Copy link
Contributor Author

JustArchi commented Nov 1, 2018

I've done a diff of openssl.cnf between stable (stretch, 1.1.0f-3+deb9u2) and testing (buster, 1.1.1-2), here are the results:

5a6,9
> # Note that you can include other files from the main configuration
> # file using the .include directive.
> #.include filename
>
14a19,21
> # System default
> openssl_conf = default_conf
>
346a354,364
> ess_cert_id_alg               = sha1  # algorithm to compute certificate
>                               # identifier (optional, default: sha1)
> [default_conf]
> ssl_conf = ssl_sect
>
> [ssl_sect]
> system_default = system_default_sect
>
> [system_default_sect]
> MinProtocol = TLSv1.2
> CipherString = DEFAULT@SECLEVEL=2

Could it be related to MinProtocol = TLSv1.2? Perhaps Debian decided to no longer supply (build openssl with) SSLv3 and .NET Core can't find appropriate SSLv2_v3 symbol? Just my blind uneducated guess, trying to help.

@bartonjs
Copy link
Member

bartonjs commented Nov 1, 2018

Looks like the ssl_conf directive, actually.

If you comment out the line

ssl_conf = ssl_sect

Then .NET (and OpenSSL 1.0) will start working again, but the security choices that Debian made will then be ignored.

(Using that openssl.cnf file on Ubuntu 16.04 produces

$ openssl s_client -connect www.microsoft.com:443
Error configuring OpenSSL
139661852980888:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libssl_conf.so): libssl_conf.so: cannot open shared object file: No such file or directory
139661852980888:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
139661852980888:error:0E07506E:configuration file routines:MODULE_LOAD_DSO:error loading dso:conf_mod.c:271:module=ssl_conf, path=ssl_conf
139661852980888:error:0E076071:configuration file routines:MODULE_RUN:unknown module name:conf_mod.c:212:module=ssl_conf

, commenting out ssl_conf makes it succeed)

I'm not sure what a good change on our side would be for 2.1 without just backporting the OpenSSL 1.1 support.

@JustArchi
Copy link
Contributor Author

JustArchi commented Nov 1, 2018

I can confirm that commenting out ssl_conf fixed the issue for me. Thank you so much @bartonjs for help, I really appreciate it.

I'll keep the issue open in case you'd want to add some fix in the .NET Core regarding this. If by any chance you're not interested in doing any of that, please feel free to close the issue at anytime.

Once again thank you! ❤️

@cwebster2
Copy link

I can confirm that this workaround has also solved the issue for me, but would definitely rather see proper library support rather than this workaround. Please see the issue I referenced above to see an example of the impact of this issue.

@netbrain
Copy link

I had problems connecting to a mssql instance in docker, however this solved that issue.

@bartonjs
Copy link
Member

Support for OpenSSL 1.1 was/is-being backported to the 2.1 series with dotnet/corefx#34443; so once a build with that change is available a different workaround would be to set the 1.1 opt-in environment variable.

@JustArchi
Copy link
Contributor Author

JustArchi commented Feb 25, 2019

@bartonjs What is the state of 2.2 series? Is my understanding correct that we can use stock openssl.cnf file with ssl_conf = ssl_sect included as long as CLR_OPENSSL_VERSION_OVERRIDE=1.1 environment variable is specified (which won't be needed in 3.0, as 3.0+ will prefer 1.1 by default)?

Thank you in advance for answering.

@bartonjs
Copy link
Member

@JustArchi 2.2 should automatically get the change from 2.1, if I understand the branch flows correctly. So it, too, should be able to use OpenSSL 1.1.x starting in the next update.

@Daniel15
Copy link

Daniel15 commented Jul 8, 2019

So what's the proper fix here? Does a released version of 2.1 or 2.2 have this fix?

@JustArchi
Copy link
Contributor Author

CLR_OPENSSL_VERSION_OVERRIDE=1.1 is the most appropriate workaround for net core 2.2.

@bartonjs
Copy link
Member

bartonjs commented Jul 8, 2019

CLR_OPENSSL_VERSION_OVERRIDE=1.1 on 2.2.4+ (or 2.1.10+)

@pockets3407
Copy link

@bartonjs @JustArchi where to I put CLR_OPENSSL_VERSION_OVERRIDE=1.1 in order to get it to work?

@JustArchi
Copy link
Contributor Author

@pockets3407 See the wiki entry for my program, as it applies to the whole OS - https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Compatibility#debian-buster-upgrade

@bartonjs
Copy link
Member

bartonjs commented Aug 2, 2019

@pockets3407 It's an environment variable. For bash you can set it for your command shell

$ export CLR_OPENSSL_VERSION_OVERRIDE=1.1
$ dotnet run

Or you can apply it to one process invocation:

$ CLR_OPENSSL_VERSION_OVERRIDE=1.1 dotnet run

Or you can set it (and export it) via ~/.bashrc, ~/.bash_profile, /etc/profile, et cetera.

@pockets3407
Copy link

pockets3407 commented Aug 2, 2019

@bartonjs I entered that in and it said "Cannot get required symbol CRYPTO_add_lock from libsll." Any way to fix this. I am trying to run a program through my raspberry pi 3b+

@serbrech
Copy link

serbrech commented Sep 6, 2019

@bartonjs I entered that in and it said "Cannot get required symbol CRYPTO_add_lock from libsll." Any way to fix this. I am trying to run a program through my raspberry pi 3b+

Same here. I'm trying to run the azure pipeline agent in a debian10 container. I installed dotnet runtime 3.0-preview9 hoping this would be be resolved, but I hit the same issue :

root@4a8f001fae84:/azp# apt list --installed | grep ssl
libssl1.1/stable,now 1.1.1c-1 amd64 [installed]
openssl/stable,now 1.1.1c-1 amd64 [installed,automatic]
root@4a8f001fae84:/azp# ./start.sh
1. Determining matching Azure Pipelines agent...
2. Downloading and installing Azure Pipelines agent...
3. Configuring Azure Pipelines agent...

>> Connect:

No usable version of the libssl was found
./config.sh: line 86:    66 Aborted                 ./bin/Agent.Listener configure "$@"
root@4a8f001fae84:/azp# export CLR_OPENSSL_VERSION_OVERRIDE=1.1
root@4a8f001fae84:/azp# ./start.sh 
1. Determining matching Azure Pipelines agent...
2. Downloading and installing Azure Pipelines agent...
3. Configuring Azure Pipelines agent...

>> Connect:

Cannot get required symbol CRYPTO_add_lock from libssl
./config.sh: line 86:   134 Aborted                 ./bin/Agent.Listener configure "$@"

# commenting out the ssl_conf = ssl_sect
root@4a8f001fae84:/azp# sed -i -e's/ssl_conf = ssl_sect/# ssl_conf = ssl_sect/' /etc/ssl/openssl.cnf
root@4a8f001fae84:/azp# grep 'ssl_conf = ssl_sect' /etc/ssl/openssl.cnf 
# ssl_conf = ssl_sect
root@4a8f001fae84:/azp# ./start.sh 
1. Determining matching Azure Pipelines agent...
2. Downloading and installing Azure Pipelines agent...
3. Configuring Azure Pipelines agent...

>> Connect:

Cannot get required symbol CRYPTO_add_lock from libssl
./config.sh: line 86:   208 Aborted                 ./bin/Agent.Listener configure "$@"

@msftgits msftgits transferred this issue from dotnet/corefx Jan 31, 2020
@msftgits msftgits added this to the 3.0 milestone Jan 31, 2020
@agbarbosa
Copy link

Looks like the ssl_conf directive, actually.

If you comment out the line

ssl_conf = ssl_sect

Then .NET (and OpenSSL 1.0) will start working again, but the security choices that Debian made will then be ignored.

(Using that openssl.cnf file on Ubuntu 16.04 produces

$ openssl s_client -connect www.microsoft.com:443
Error configuring OpenSSL
139661852980888:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libssl_conf.so): libssl_conf.so: cannot open shared object file: No such file or directory
139661852980888:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
139661852980888:error:0E07506E:configuration file routines:MODULE_LOAD_DSO:error loading dso:conf_mod.c:271:module=ssl_conf, path=ssl_conf
139661852980888:error:0E076071:configuration file routines:MODULE_RUN:unknown module name:conf_mod.c:212:module=ssl_conf

, commenting out ssl_conf makes it succeed)

I'm not sure what a good change on our side would be for 2.1 without just backporting the OpenSSL 1.1 support.

This was exactly the solution for my case! Thanks

@ghost ghost locked as resolved and limited conversation to collaborators Dec 15, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

11 participants